---
title: Detecting and defending against rootkits
course: intro_pentest
section: "Maintaining Access with Backdoors and Rootkits"
layout: lesson
---

Let’s break from the normal convention of this course and take a minute to
discuss a few defensive strategies for dealing with rootkits. The basics are
quite simple:

* Closely monitor the information you put onto the Internet.
* Properly configure your firewall and other access controls.
* Patch your systems.
* Install and use antivirus software.
* Make use of an intrusion detection system.

Although the list isn’t nearly complete, it’s a good starting point for
defending systems. However, even with all of those processes in place, rootkits
can still pose a danger.

Defending against and detecting rootkits takes a few extra steps. It is
important to understand that to configure and install a rootkit, administrative
access is required. So the first step in avoiding rootkits is to deprivilege
your users. It isn’t uncommon to find networks loaded with Windows machines
where every user is a member of the administrators group. When asked why every
user is an administrator, the system admins usually just shrug or offer some
lame excuse about users needing to be administrators to run a particular piece
of software. Really? Come on, this ain’t 1998. There are very few legitimate
reasons for allowing your users to run around with full admin rights. With most
modern operating systems, you can temporarily elevate your privileges with the
"`su`" or "`Run As`" commands.

Although it is true that many rootkits function at the kernel level and have the
ability to avoid detection by antivirus software, installing, using and keeping
the software up-to-date is critical. Some rootkits, especially older and less
sophisticated ones, can be detected and cleaned by modern antivirus software.

Monitor the traffic coming into and going out of your network. Many
administrators are great at monitoring and blocking traffic as it flows into the
network. They spend days and even weeks honing their rule sets to block
incoming traffic. At the same time, many of these admins completely ignore
outbound traffic. They become so focused on what is coming in that they forget
to watch what is leaving. Monitoring outbound traffic can be vital in detecting
rootkits and other malware.

Another good tactic for detecting rootkits and backdoors is to regularly port
scan your systems. Make note of each open port on each of your systems. If you
find a system with an unknown port open, be sure to track down the PC and
identify the rogue service.
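One way to keep the "note of each open port" described above, as an added example that is not part of the course material: record a per-host baseline of expected open ports, parse a fresh `nmap -oG` (grepable) scan, and flag any port that is open now but not in the baseline. The hosts, ports and scan lines below are constructed sample data.

```python
"""Diff a fresh nmap grepable (-oG) scan against a baseline of expected open ports.
Added example for this lesson, not part of the course material; all hosts, ports
and scan lines are constructed sample data."""
import re
from typing import Dict, Set

# Constructed baseline: the ports previously noted as legitimate on each system.
BASELINE: Dict[str, Set[int]] = {
    "192.168.1.10": {22, 80, 443},
    "192.168.1.20": {135, 139, 445, 3389},
}

# Constructed nmap -oG output; real scans use the same "Host: ... Ports: ..." layout.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///\tIgnored State: closed (996)
Host: 192.168.1.30 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Only "open" TCP entries count; closed/filtered entries in the Ports field are ignored.
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from nmap -oG output."""
    result: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        # Skip comment lines and the "Host: ... Status: Up" lines that carry no Ports field.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        result[host] = {int(p) for p in OPEN_TCP_RE.findall(ports_field)}
    return result


def find_rogue_ports(baseline: Dict[str, Set[int]], scan: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Ports open now that are not in the baseline. A host absent from the
    baseline is reported with every open port, since none of them is known-good."""
    rogue: Dict[str, Set[int]] = {}
    for host, ports in scan.items():
        unexpected = ports - baseline.get(host, set())
        if unexpected:
            rogue[host] = unexpected
    return rogue


if __name__ == "__main__":
    for host, ports in find_rogue_ports(BASELINE, parse_grepable(SCAN_OUTPUT)).items():
        print(f"{host}: unknown open port(s) {sorted(ports)} - track down the service")
```

Ports that were in the baseline but are now closed are deliberately not reported; the check is aimed at new listeners, which is what a backdoor or rootkit service adds.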

Tools like RootkitRevealer, VICE and F-Secure’s BlackLight are some great free
options for revealing the presence of hidden files and rootkits. Unfortunately,
once a rootkit has been installed, it can be very difficult to remove, or at
least to remove completely. Sometimes, rootkit removal requires you to boot your
machine into an alternate operating system and mount your original hard drive.
By booting your machine to an alternate operating system or mounting the drive
on another machine, you can scan the drive more thoroughly. Because the original
operating system won’t be running, your scanner won’t be relying on API calls
from an infected system, and it’s more likely you’ll be able to discover and
remove the rootkit. Even with all this, your best bet is to simply wipe the
system, including a full format, and start over.
